Sunday, May 29, 2011

I saw a post over on Technology Forensics, LLC's blog on the topic of whether an IP (internet protocol) address from a wireless router should be enough to show probable cause to issue a warrant.

I can kind of see where they are going, but whether or not a warrant is issued for any IP address is not really the issue. Nor is the real issue whether the wireless connection is secured, or even whether the connection is wireless or wired.

To obtain a warrant to search a home, business, person, vehicle or other location, the police have to establish "probable cause". Probable cause in legal terms is defined as:

"A reasonable belief that a person has committed a crime. The test the court of appeals employs to determine whether probable cause existed for purposes of arrest is whether facts and circumstances within the officer's knowledge are sufficient to warrant a prudent person to believe a suspect has committed, is committing, or is about to commit a crime. U.S. v. Puerta, 982 F.2d 1297, 1300 (9th Cir. 1992). In terms of seizure of items, probable cause merely requires that the facts available to the officer warrants a "man of reasonable caution" to conclude that certain items may be contraband or stolen property or useful as evidence of a crime. U.S. v. Dunn, 946 F.2d 615, 619 (9th Cir. 1991), cert. Denied, 112 S. Ct. 401 (1992)." http://www.lectlaw.com/def2/p089.htm

Because of the way that networking technology works, the issue might be to determine just how far probable cause should extend beyond the IP address.

I'm no lawyer, so I am just going to explore this from a practical standpoint: how probable cause is developed in Internet cases that lead to a search warrant being issued, and how the search and seizure should be limited based on the kind of probable cause that can actually be established when the target address is derived from an IP address.

First, it must be understood that in most instances an IP address is not the Internet address of a particular computer, but the Internet address of a router. A router is a device that allows multiple computers to share a single Internet connection, i.e. a single public IP address. The router rewrites each computer's traffic on the way out (network address translation), so to anyone on the Internet, including an investigator, all of that traffic appears to come from the router's address, and nothing in the address itself says which computer behind the router sent it.

When the router happens to be a wireless router, then multiple computers can connect to the Internet via that wireless router from some distance, without ever being in or on the premises that house the wireless router.

How Probable Cause is Developed - File Sharing.

Internet investigations into the sharing of child pornography are cases where probable cause is developed entirely through technology. Using software to locate child porn files on the peer to peer networks, the investigator takes the IP address advertised by the file sharing client and performs a lookup (WHOIS and geolocation) to see roughly where the IP address is located and who owns it. By owner, I mean who has the right to allow someone to use the IP address, which is going to be an Internet Service Provider (ISP). Once the investigator has the owner information, the next step is to issue a subpoena to the ISP to get the account information for the subscriber who was assigned that IP address at the time.

At this point for the purpose of probable cause, the presumption has to be that the physical address of the person who pays the bill for the Internet account that was using the IP address at the time of the investigation is also where the computer will be found that is doing the sharing.

Of course, if the address happens to be a 500 room hotel, then that could be an issue since it might be a stretch to storm the hotel and seize every computer from everyone on the premises including employees and guests. Yet when a search warrant is executed on a house, the same thing happens on a smaller scale. Every computer is seized independent of whether or not there is any evidence at all that one of those computers is the one doing the sharing. Additionally, the way the warrants are worded, anything else can also be seized such as video tapes, CDs, DVDs, magazines, sticky notes, manuals, and the list goes on. Police even seize the computer mouse, keyboard, monitor, and the power supply, items that are pretty unlikely to contain any evidence.

One question that should be raised is whether or not the probable cause developed for an IP address is enough to permit wholesale seizure of computers and storage devices without any idea which if any of them might be the instrument of the suspected crime.

It is not a difficult task, from a technology standpoint, to determine quickly which computer, if any, was actually the one that the investigator saw sharing on the Internet. The investigator's tools record the GUID of the sharing client during the online investigation. Checking the computers on the premises for that GUID is simple and fast, and avoids having to seize every computer on the premises.

The argument could be made that the software used during the online investigation is acting as an electronic "informant" by telling the investigator the location of the computer doing the sharing. The problem with that argument is that the informant in such a case would not actually know the location of the computer with any more precision than the location of the router in that 500 room hotel. In order for the informant to be a reliable source, it should have to be able to pinpoint the room, not just the hotel.

Another issue that really should be addressed is the fact that computers are closed containers. You cannot tell by looking at them whether they contain any evidence at all related to an investigation. So should it be correct that all of the closed containers are seized, broken open and searched? Here is another analogy to consider. An informant tells an investigator that crack cocaine is present in a car in a parking lot. The informant can only provide the address of the parking lot, and nothing about the car that might contain the cocaine.

Since the parking lot is like the router, i.e. lots of cars can park in a parking lot and the address of the lot is only going to get you to a whole bunch of cars, not a particular car, does it make sense to impound and search every car on the lot based on probable cause that a car parked in the lot might contain cocaine? Shouldn't the probable cause for the warrant specify a particular car, or at least a description of a car, that would prevent the wholesale seizure and subsequent search of all the cars? To bring it back to the Internet investigation, the car's license tag number is the equivalent of the GUID of the file sharing client on the computer that was seen sharing on the Internet. It is simple and easy to check, so the aim can be the right car rather than all cars, and the right computer rather than all computers.
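Here is the GUID check from the two paragraphs above worked through in Python, as an added example that is not from the original post. It assumes the client stores its identifier as a `CLIENT_ID` line in a Java-properties style file (LimeWire's `limewire.props` is the model, but the sample files below are constructed), and that the investigator's tool may have recorded the same 16-byte GUID in a different textual form (braces, dashes, upper case), so the comparison normalizes both sides first. It also refuses to treat a 6-byte MAC address as a client GUID, since those are different identifiers.

```python
"""Triage seized machines against the client GUID observed online.

Added example, not the original post's code.  The property-file layout
(CLIENT_ID=<32 hex>) is an assumption modelled on limewire.props; hostnames,
GUIDs and file contents are constructed.
"""
import re
from typing import Dict, List, Optional

GUID_RE = re.compile(r"[0-9a-f]{32}")   # 16 bytes as hex, after normalization


def normalize_guid(value: str) -> Optional[str]:
    """Strip braces, dashes, colons, whitespace and case so differently
    recorded copies of one GUID compare equal.  Returns None for anything
    that is not 16 bytes, e.g. a 6-byte MAC address like 00:11:22:33:44:55."""
    cleaned = re.sub(r"[{}\-:\s]", "", value).lower()
    return cleaned if GUID_RE.fullmatch(cleaned) else None


def client_id_from_props(props_text: str) -> Optional[str]:
    """Return the normalized CLIENT_ID from a properties file, or None if the
    machine has no such entry (no client installed, or a different client)."""
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "CLIENT_ID":
            return normalize_guid(val.strip())
    return None


def triage(observed_guid: str, seized: Dict[str, str]) -> List[str]:
    """Names of the seized machines whose client GUID equals the observed one."""
    target = normalize_guid(observed_guid)
    if target is None:
        raise ValueError("observed identifier is not a 16-byte client GUID")
    return sorted(host for host, props in seized.items()
                  if client_id_from_props(props) == target)


# Constructed: what an investigator's tool recorded for the sharing client.
OBSERVED = "{4F3A9C1E-2B7D-4E60-9A11-0C5D8E2F7B33}"

# Constructed: the client configuration found on each machine at the premises.
SEIZED = {
    "desktop-den":    "#LimeWire properties\nCLIENT_ID=4f3a9c1e2b7d4e609a110c5d8e2f7b33\nPORT=6346\n",
    "laptop-bedroom": "CLIENT_ID=0b8c2d9e6f1a4b3c8d7e5f2a1b0c9d8e\nPORT=6346\n",
    "kids-netbook":   "# no file sharing client installed\nPORT=6346\n",
}


if __name__ == "__main__":
    print("observed GUID:", normalize_guid(OBSERVED))
    print("matching machines:", triage(OBSERVED, SEIZED))
```

A match here tells the investigator which closed container to open first; it is a triage step, not proof. The GUID is a configuration value that can be changed or regenerated by reinstalling the client, so a machine with no match is not cleared, and a match still has to be confirmed by a proper examination of that machine.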

6 comments:

There are many definitions for a GUID and one of them is a MAC for the network adapter inside the computer. This number can easily be spoofed with tools like Cain and Abel so would it not be more expedient to seize all the computers and sort it out at the lab?

I am talking about the GUID for the file sharing client specifically. Expediency should never be a consideration when it comes to law enforcement's treatment of civilians. Also, seizing all the computers and sorting them out at the lab is one of the reasons that law enforcement labs have backlogs that are months and even years long. Why should someone who has no involvement be forced to give up their computer for several months on mere suspicion?

I can't help myself. . . You said, "At this point for the purpose of probable cause, the presumption has to be that the physical address of the person who pays the bill for the Internet account that was using the IP address at the time of the investigation is also where the computer will be found that is doing the sharing."

You don't say why. Wasn't that the point of your post? I'd love to have a conversation about "why the presumption has to be. . . " because, it may not.

The why is because this is the kind of boilerplate you see in so many file sharing cases: "A reasonable officer with the proper training and experience could infer and conclude from the logs, that the computer at the reported IP address recently offered for distribution a file with a digital signature of known or suspected child pornography."

The problem with the parking lot analogy is that those cars probably belong to different people who have no relation to one another: most of the time, the computers in the home belong to all of those living there, and they are connected to one another through a network.

About EX FORENSIS

This is where I share my thoughts on the digital forensics field, talk about recent court rulings that impact digital forensics and anything else that comes to mind; mostly serious, sometimes not so much.

All writings on this blog are the original works of the author, Larry E. Daniel, unless otherwise stated, and are subject to the copyright laws of the United States.

Disclaimer

I am not an attorney. Nothing I post in this blog is intended to be, nor should be considered as legal advice. If you have a legal question you should seek the services of a licensed attorney in your area. Guest authors or others who are invited to post here are covered by the same disclaimer. Nothing on this blog is legal advice.